Solved

How can I stop warning re mysterious trojan or clean my PC of mchinjdrv.sys?

Posted on 2008-10-03
Last Modified: 2013-12-04
Recently my AVG software has reported on startup that a trojan threat has been detected in c:\windows\system32\drivers\mchinjdrv.sys.

I've done some research and some say that this is a legit thing and others say it is indeed a trojan threat.  When the warning appears I can choose to Heal but it can't find the file so can't heal it.  I can choose to move it to the Virus Vault but as it can't find it there's nothing to move.  If I choose to Ignore it the box goes away but reappears again on startup.

Regedit won't let me chop the Legacy entries out of the registry and a search of the whole PC (including hidden files) can't find this file either.  I've run a full AVG virus scan and that comes up clean, as do scans with Advanced WindowsCare, RegCure, XsoftSpy and a scanner I tried from Sophos which claimed to search for hidden rootkits.

I've seen a similar issue reported in EE and it mentions something called Rootkit Unlocker (or something like that) but when I looked in to that there was some doubt about it as someone alleged that this software added something to the system to defend against it ever being removed so in a way that's almost as bad as this current possible security risk.

The only way I can see to rid myself of this dialog is to add an exclusion in AVG not to reference systems32\drivers when it starts up which is convenient but hardly secure.

Can anyone advise on how I can get rid of this thing?  Whether it's legit or not, if it poses a threat I'd rather not have it hanging around!  I'm running XP inc SP3 and all latest patches and AVG v8.

Thanks in advance.
Comment
Question by:funasset
9 Comments
 
LVL 16

Expert Comment

by:JoWickerman
ID: 22632493
Hi,

Try the following:

Download process explorer from any site. (ProcessExplorer.zip)
Run Process Explorer
Find the process mchinjdrv.sys tree
Kill tree
Go to a DOS prompt
c:\> dir /S /AH /L mchinj*.sys
If you find the file:
attrib -s -h -r mchinjdrv.sys
rename mchinjdrv.sys mchinjdrv.old

Delete mchinjdrv.old

I think this should work.

Let me know,
Cheers.
 
LVL 5

Expert Comment

by:MattRichardson
ID: 22632756
 

Author Comment

by:funasset
ID: 22633663
Thanks - I'll look in to both of these when I get home.

I'll get back to you!

Author Comment

by:funasset
ID: 22636059
Nope.  Tried the ProcessExplorer and there was no entry for mchinjdrv.sys and it didn't show up in DOS using the search either.  I'm mystified as to where this damned thing is!!
 
LVL 2

Expert Comment

by:ThinkSmartInc
ID: 22638843
I did some digging for you on this issue. mchinjdrv.sys is for MadCodeHook Injection Driver.  It is used in programs like Spy Sweeper to do injection tests in order to catch malicious code.  Unfortunately, the way it's loaded is that the file is dropped just long enough to load into memory and then is deleted, hence why you can never locate it.  If you are using Spy Sweeper, I'd recommend putting it into your exemption list, or use another Anti-Spyware program.  Below are a couple of sites that you can check out to give you more information regarding mchinjdrv.sys:

http://forums.comodo.com/virusmalware_removal_assistance/mchinjdrvsys-t9257.0.html

http://www.wilderssecurity.com/showthread.php?t=47024
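The two comments above describe the same thing from different angles: JoWickerman's steps look for the file on disk so it can be unhidden and deleted, and ThinkSmartInc's explanation says the file is only dropped long enough to load the driver and is then removed, which is why the file search and Process Explorer come up empty while the Legacy registry entries remain. The script below is an added example written for this page, not something posted in the thread or shipped by AVG, madCodeHook or Spy Sweeper. It checks, in order, whether a driver service is registered under the name, whether the ImagePath it points at actually exists, whether the LEGACY_* enum key is present, whether the driver object is loaded right now, and whether any hidden copy of the file survives anywhere on the system drive. The service name "mchInjDrv" (the file name without its extension) is an assumption; check HKLM\SYSTEM\CurrentControlSet\Services for the real key before relying on it. Removal only happens with the -Remove switch, and only after you have confirmed nothing installed (such as an anti-spyware product built on madCodeHook) still needs the driver.

```powershell
# Added example (not from the thread): audit, and optionally remove, a kernel driver
# that is registered in the registry but whose file is not present on disk.
# Run from an elevated PowerShell prompt. Works with the WMI cmdlets available on
# XP-era PowerShell as well as on current versions.
# ASSUMPTION: the service name is taken to be "mchInjDrv"; adjust -ServiceName
# if the Services key on your machine uses a different name.
param(
    [string]$ServiceName = 'mchInjDrv',
    [string]$FileName    = 'mchinjdrv.sys',
    [switch]$Remove                # only stop/unregister/delete when explicitly asked
)

$svcKey    = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
$legacyKey = "HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_$($ServiceName.ToUpper())"

# 1. Is a driver service registered under this name, and where does it claim to live?
if (Test-Path $svcKey) {
    $svc = Get-ItemProperty -Path $svcKey
    Write-Host "Service key present: $svcKey"
    Write-Host "  ImagePath : $($svc.ImagePath)"
    Write-Host "  Start     : $($svc.Start)   (0=boot 1=system 2=auto 3=demand 4=disabled)"

    # ImagePath may be absolute with a \??\ prefix, or relative to %SystemRoot%.
    $path = $svc.ImagePath -replace '^\\\?\?\\', ''
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot $path
    }
    if ($path -and (Test-Path -LiteralPath $path)) {
        $f = Get-Item -LiteralPath $path -Force
        Write-Host "  File on disk: yes, $($f.Length) bytes, attributes: $($f.Attributes)"
    } else {
        Write-Host "  File on disk: NO (consistent with a driver that is dropped, loaded, then deleted)"
    }
} else {
    Write-Host "No service key at $svcKey"
}

# 2. The LEGACY_* entry is what regedit refuses to delete. It records that the
#    driver was loaded at some point; it does not mean the driver is loaded now.
Write-Host ("Legacy enum key present: " + (Test-Path $legacyKey))

# 3. Is the driver object loaded at this moment?
$loaded = Get-WmiObject -Class Win32_SystemDriver | Where-Object { $_.Name -ieq $ServiceName }
if ($loaded) {
    Write-Host "Driver object: State=$($loaded.State) StartMode=$($loaded.StartMode) Path=$($loaded.PathName)"
} else {
    Write-Host "No loaded driver object named $ServiceName"
}

# 4. Sweep the system drive for any copy of the file, including hidden/system ones
#    (the PowerShell equivalent of 'dir /S /AH').
$copies = Get-ChildItem -Path "$env:SystemDrive\" -Filter $FileName -Recurse -Force -ErrorAction SilentlyContinue
foreach ($c in $copies) { Write-Host "Found copy: $($c.FullName) [$($c.Attributes)]" }

# 5. Optional removal: stop and unregister the service, then delete any surviving copy.
if ($Remove) {
    if ($loaded -and $loaded.State -eq 'Running') { & sc.exe stop $ServiceName | Out-Null }
    if (Test-Path $svcKey) { & sc.exe delete $ServiceName | Out-Null }
    foreach ($c in $copies) {
        $c.Attributes = 'Normal'     # clears hidden, system and read-only in one step
        Remove-Item -LiteralPath $c.FullName -Force
        Write-Host "Deleted $($c.FullName)"
    }
}
```

If step 1 shows a service key but step 3 shows no loaded driver object and step 4 finds no file, the picture matches ThinkSmartInc's description of a transient drop rather than a persistent rootkit, and the thing worth a second look is whichever installed product re-creates the driver at each boot. Save the script as a .ps1 and run it once without -Remove first; the output of steps 1 to 4 is what you would want to paste into a support ticket with AVG.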
 

Author Comment

by:funasset
ID: 22640052
Thanks for the links and I appreciate the digging.  It's a pesky little so-and-so isn't it.

It's AVG's Resident Shield that complains about it - I guess a recent signature update is why it's suddenly picking it up.  The trouble is that as far as I can see I can't add this specific file reference to its exceptions list.  I can only add the path, so that will mean telling AVG not to look in the whole system32\drivers directory, which doesn't seem safe to me.  

I thought AVG was one of the best AV/anti-spam tools around, so if I have to replace it in order to get rid of this warning I'm not entirely sure what to put in its place.  I can't find an email address or URL to contact the makers of AVG directly either so that I can pick their brains.  Tricky.

 
LVL 2

Accepted Solution

by:ThinkSmartInc (earned 500 total points)
ID: 22664600
You can go to http://www.avg.com/support-technical and enter your license from AVG to get support.
 

Author Comment

by:funasset
ID: 22667397
Thanks.  In the past couple of days the warning hasn't appeared on startup 9 out of 10 times - why it appears on the other 1 occasion I really don't know.  I've scanned my PC with everything I can get my hands on and all reports indicate no infection so although this hook can be used by nasty hackers who need to get out more, it would seem that in this instance it is indeed a false positive and I'll have to contact AVG.

I appreciate your help.

Cheers.
 

Author Closing Comment

by:funasset
ID: 31502689
Many thanks for your efforts.
